Are passwords enough?

For many years the traditional method of securing data has been a user ID and password. The recommendations around passwords have changed over the years, but length has always mattered: every character you add multiplies the number of possible passwords by the size of the character set, so the cost of a brute-force attack grows exponentially with length. Drawing from more than the 26 letters of the alphabet enlarges that character set, which is why mixing upper and lower case letters, digits and special characters makes cracking take longer still.

It is now 2018 and brute-force password cracking is no longer what most attackers want to do. It is still a threat, but it is not the concern it once was, because many malicious parties have changed their methods. It is far easier to send a specially crafted email that looks like it comes from someone you know and contains a link to a document. The recipient clicks the link, lands on a page that looks like the Office 365 login, enters his or her credentials to see the document, and the attacker now has a working password without cracking anything.

So what can the IT security team do if end users are going to hand over their credentials? For starters, change the login screens. With company branding on the login page, users can see when they are at the real Office 365 login, and a login page with no branding should make them stop and question it. Branding is a cue rather than a control: a careful phisher can copy the logo and colours as well, so it raises the bar without removing the risk. Users are both gullible and smart at the same time; give them the tools to make better decisions. But is that enough?

The ID and password combination is no longer enough. Multi-factor authentication (MFA) adds another factor to the login process: after a user enters an ID and password, a notification arrives on the user's mobile phone asking them to approve the login. MFA is not new and it keeps getting better, but, as the saying goes, nothing is fool-proof to a sufficiently talented fool. A user who receives an authentication request without having entered credentials should read it as a sign that someone else is attempting to log in as them, which also means that someone already has the password. But remember that users can be gullible: an attacker who sends prompt after prompt may eventually get a tired or confused user to approve a login that was never theirs. Train users to deny and report unexpected prompts rather than approve them, and treat a burst of denied prompts as a password compromise in its own right.

User and entity behavior analytics (UEBA) is the next method for safeguarding company assets. By analyzing what end users normally do, including how and from where they usually log in, IT security can be notified when something out of the ordinary occurs, and the number of events the team has to analyze drops because only the deviations surface. When a user logs in from New York and ten minutes later a login is attempted from Russia, there is a very good chance that someone else has the user's password: nobody covers that distance in ten minutes, so this is an impossible travel situation. It is not always an attack. A VPN connection can make a legitimate user appear in an impossible travel situation, because the login is seen from the VPN's egress address rather than from where the user actually is, so IT security should keep a list of known VPN egress addresses and exclude them from the calculation.
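The two signals from the paragraphs above, the MFA prompt flood and the impossible travel check, put into code as an added example that is not from the original post or from any product. The log format, the IP-to-city table, the VPN egress allowlist, the 1000 km/h travel ceiling and the three-denials-in-ten-minutes threshold are all constructed assumptions; a real deployment would read the tenant's sign-in audit log and a GeoIP database instead.

```python
"""Impossible-travel and MFA-prompt-flood detection over constructed sign-in logs.

Everything here is illustrative: the log format, the IP-to-city table, the VPN
egress allowlist, the 1000 km/h speed limit and the prompt-flood threshold are
assumptions, not anything taken from a real tenant or product.
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP lookup using TEST-NET addresses (never routable).
GEOIP = {
    "203.0.113.10": ("New York", 40.7128, -74.0060),
    "203.0.113.11": ("Boston", 42.3601, -71.0589),
    "198.51.100.7": ("Moscow", 55.7558, 37.6173),
    "192.0.2.50": ("Frankfurt", 50.1109, 8.6821),  # assumed corporate VPN egress
}
VPN_EGRESS = {"192.0.2.50"}   # a login from here says nothing about where the user is
MAX_SPEED_KMH = 1000.0        # assumed ceiling for legitimate travel (airliner plus margin)

# Constructed sign-in log, one event per line: timestamp,user,source_ip,result
SAMPLE_LOG = """\
2018-06-01T10:00:00Z,alice,203.0.113.10,success
2018-06-01T10:10:00Z,alice,198.51.100.7,success
2018-06-01T10:00:00Z,bob,203.0.113.10,success
2018-06-01T10:10:00Z,bob,192.0.2.50,success
2018-06-01T10:00:00Z,carol,203.0.113.10,success
2018-06-01T12:00:00Z,carol,203.0.113.11,success
2018-06-01T10:05:00Z,dave,198.51.100.7,failure
2018-06-01T10:00:00Z,dave,203.0.113.10,success
2018-06-01T09:00:00Z,erin,198.51.100.7,mfa_denied
2018-06-01T09:01:00Z,erin,198.51.100.7,mfa_denied
2018-06-01T09:02:00Z,erin,198.51.100.7,mfa_denied
2018-06-01T09:03:00Z,erin,198.51.100.7,success
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_log(text):
    """Parse the constructed CSV lines into event dicts with UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "ip": ip, "result": result})
    return events


def detect_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """One alert per pair of consecutive successful logins by the same user that
    would require travelling faster than max_speed_kmh. Failed logins are left
    out (a failure from abroad is a different signal, not travel) and any pair
    touching a known VPN egress address is skipped."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["ip"] in GEOIP:
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["time"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["ip"] == cur["ip"] or {prev["ip"], cur["ip"]} & VPN_EGRESS:
                continue
            city1, lat1, lon1 = GEOIP[prev["ip"]]
            city2, lat2, lon2 = GEOIP[cur["ip"]]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")  # same-second logins
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": city1, "to": city2,
                               "minutes": round(hours * 60), "required_kmh": round(speed)})
    return alerts


def detect_mfa_prompt_flood(events, threshold=3, window_minutes=10):
    """Flag a user who denies `threshold` MFA prompts within `window_minutes`.
    Reaching the prompt at all means the password already worked, so this is a
    password compromise whether or not the user finally taps Approve."""
    recent = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] != "mfa_denied":
            continue
        window = [t for t in recent[e["user"]] if (e["time"] - t).total_seconds() <= window_minutes * 60]
        window.append(e["time"])
        recent[e["user"]] = window
        if len(window) == threshold:  # fire once, when the threshold is crossed
            alerts.append({"user": e["user"], "denied_prompts": threshold, "ip": e["ip"]})
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for a in detect_impossible_travel(events):
        print(f"impossible travel: {a['user']} {a['from']} -> {a['to']} in "
              f"{a['minutes']} min (would need {a['required_kmh']} km/h)")
    for a in detect_mfa_prompt_flood(events):
        print(f"mfa prompt flood: {a['user']} denied {a['denied_prompts']} prompts from {a['ip']}")
```

On the constructed log, alice (New York, then Moscow ten minutes later) is the only impossible-travel hit; bob's second login comes from the VPN egress and is skipped, carol's New York to Boston in two hours is well under the ceiling, and dave's failed attempt from Moscow is ignored by the travel check because it never became a login. erin's three denied prompts in three minutes trigger the flood alert before her fourth prompt is approved, which is exactly the case where the approval should be treated as suspect.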

UEBA is something that I am starting to look into for my company. As I research the different products, I will post some more on the topic. Till then, keep safe and remind users to stay diligent.

Posted in Passwords.